I'm looking for help related to three questions:
1) How do I get additional information about what is causing the error?
Why is systemd blocking sudo despite the modifications in the override.conf
2) More generally: How can I run openvpn in a daemon as user vpn with
the ability to use sudo in a learn-address-script?
3) Would it be appropriate to file a bug report against systemd at this
stage?
Thanks in advance,
kind regards
Dominik

My understanding is that for this workaround it should contain something like:
Service]
CapabilityBoundingSet=CAP_AUDIT_WRITE
Another approach is to run
systemctl edit openvpn@.service
and in your $EDITOR write and save the same, i.e.
[Service]
CapabilityBoundingSet=CAP_AUDIT_WRITE
Apparently "CapabilityBoundingSet=" (empty) also works.
If that's what you've already done or I've misunderstood any or everything,
sorry, mate.